TLS Hardening Checklist: 12-Point Server Audit
Overview
12-point audit checklist for TLS server configuration — protocol versions, cipher suites, certificate chain, HSTS, OCSP stapling, and key sizes. Covers Nginx, Apache, and IIS.
Table of Contents
- Protocol Version Enforcement
- Cipher Suite Selection
- Certificate Chain Completeness
- Key Size Requirements
- HSTS Configuration
- OCSP Stapling Setup
- Certificate Transparency
- Session Resumption Security
- Nginx Configuration
- Apache Configuration
- IIS Configuration
- Automated Testing
Overview
A valid certificate doesn’t mean your TLS configuration is secure. Protocol downgrade attacks, weak cipher suites, missing HSTS headers, and broken OCSP stapling are all common issues that pass basic connectivity tests but fail security audits. SSL Labs might give you an A rating today, but configuration drift after the next server update can silently degrade your score.
This 12-point checklist provides a repeatable audit procedure for TLS server hardening. Each point includes the specific configuration directive for Nginx, Apache, and IIS, along with the rationale for why it matters and how to verify it’s working correctly. Designed to be run quarterly or after any server software update.
The checklist targets an A+ rating on SSL Labs and compliance with NIST SP 800-52 Rev. 2 guidelines.
What’s Included
- Protocol enforcement settings to disable TLS 1.0/1.1 and SSLv3 across all server platforms
- Cipher suite ordering that prioritizes AEAD ciphers and forward secrecy
- Certificate chain verification to ensure intermediates are served correctly
- HSTS configuration with preload eligibility requirements
- OCSP stapling setup and verification for Nginx, Apache, and IIS
- Automated testing commands using testssl.sh, nmap, and openssl s_client